The Log4j vulnerability (Log4Shell) and Uptrends

Summary

We take the Log4j vulnerability very seriously. Uptrends’ own software does not contain the reported vulnerability and we did not find any evidence that an attack has taken place or could take place. We have concluded our investigation.

Detailed explanation

Uptrends is aware of the recently discovered software vulnerability known as Log4Shell, or more formally as CVE-2021-44228, which is related to certain versions of a Java software library named Apache Log4j. The formal announcement of the vulnerability can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228. More reference material is available at Apache’s own site at https://logging.apache.org/log4j/2.x/index.html.

We have finished investigating the Uptrends software and the services we provide, to assess whether they were affected by this vulnerability. The current situation is as follows:

  • The software developed and operated by Uptrends does not run on Java. The Log4j library is not included in our own software. This includes software running on our own platform, and software published by Uptrends that runs on devices owned by our users.
  • We have no indication that other libraries that may have been derived from Log4j are affected. The provider of our vulnerability scanning software is aware of the vulnerability, and no affected components were found. We continue to monitor any updates in that area. Additionally, the software and tools we use to build our own software have been scanned and do not contain the vulnerability.
  • We have investigated whether there is any evidence that suggests that any unauthorized access or activity has taken place on our network. No malicious activity has been found. We did observe that some legitimate software scanning companies performed some probing to find a possible attack vector in our public-facing software. This did not reveal any vulnerabilities on our side.
  • We have been scanning third-party software used internally for various processes. Only a small number of possible targets were found, and patches were applied immediately. No evidence of suspicious activity has been found.
  • We inquired about any affected third-party software used directly for our operation. We have no indication of this. Our product services (including monitoring, reporting and alerting, as well as our support services) have continued to run without interruption.

In conclusion, no remediation efforts have been deemed necessary.